CVE-2023-43498
Description
In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, processing file uploads using MultipartFormDataParser creates temporary files in the default system temporary directory with the default permissions for newly created files, potentially allowing attackers with access to the Jenkins controller file system to read and write the files before they are used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins temporary file handling vulnerability allows attackers with file system access to read/write upload files before use.
Vulnerability
Description
In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, processing file uploads with MultipartFormDataParser creates temporary files in the default system temporary directory (the JVM's java.io.tmpdir) with the default permissions for newly created files [1]. That directory is normally shared by every account on the host, and the default mode of a new file is set by the process umask rather than by Jenkins, so the uploaded content can be readable, and in some configurations writable, by other local users or processes until Jenkins consumes the file.
Exploitation
Conditions
The attacker needs no Jenkins credentials, but must already be able to read and write the controller's temporary directory, for example as another local user or process on the controller host [1]. In the window between Jenkins writing the upload to the temporary file and Jenkins reading or moving it, the attacker can read the file or replace its contents. Because that window closes as soon as Jenkins uses the file, exploitation is a race and depends on timing.
Impact
Successful exploitation can disclose the content of uploaded files, which may be sensitive, or let the attacker substitute that content before Jenkins processes it, so the feature that consumed the upload acts on attacker-chosen data. The attacker controls what the temporary file contains, not where Jenkins puts it afterwards; the practical impact therefore depends on what is uploaded and what Jenkins does with it, and the flaw does not by itself grant Jenkins permissions or remote access.
Mitigation
The issue is addressed in Jenkins 2.424 and LTS 2.414.2, as announced in the Jenkins Security Advisory 2023-09-20 [2][3]. Users are advised to upgrade to these versions or apply any available workarounds recommended by the vendor.
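The permission mechanism described under Exploitation, and the hardening the Mitigation refers to, as an added example that is not Jenkins code and not from the advisory. It is written in Python rather than Java so it runs stand-alone on a POSIX host, but the two patterns are the same ones a JVM exhibits: `java.io.File.createTempFile` opens the file with mode 0666 and lets the process umask decide the result (0644 under the common umask 022, hence "the default permissions for newly created files"), while `java.nio.file.Files.createTempFile` on POSIX requests rw------- explicitly. The file-name prefix `jenkins-upload-`, the function names and the payload are invented for the example; `audit_temp_dir` is the check a practitioner could run against the controller's temp directory to see whether any such files are exposed to other accounts.

```python
"""Weak versus private temporary-file creation (CVE-2023-43498 pattern).

Added example, not Jenkins code. Names and payload are constructed for the demo.
"""
import os
import secrets
import shutil
import stat
import tempfile
from contextlib import contextmanager


@contextmanager
def umask(mask):
    """Temporarily set the process umask; 0o022 is the usual Linux default."""
    old = os.umask(mask)
    try:
        yield
    finally:
        os.umask(old)


def create_upload_tmp_default(tmp_dir, data):
    """Vulnerable pattern: a new file directly in the shared temp directory,
    created with mode 0666 so the umask alone decides who else can read it
    (this is what java.io.File.createTempFile does on Unix)."""
    path = os.path.join(tmp_dir, "jenkins-upload-" + secrets.token_hex(8))
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666)  # umask applied here
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def create_upload_tmp_private(tmp_dir, data):
    """Hardened pattern: a private 0700 subdirectory plus an explicit 0600 file,
    so other local accounts cannot traverse the directory or open the file.
    tempfile.mkstemp always opens with O_EXCL and mode 0o600, independent of umask."""
    private_dir = os.path.join(tmp_dir, "jenkins-uploads-" + secrets.token_hex(8))
    os.mkdir(private_dir, 0o700)
    os.chmod(private_dir, 0o700)  # do not rely on the umask for the directory either
    fd, path = tempfile.mkstemp(prefix="upload-", dir=private_dir)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def exposed_to_others(path):
    """True if group or other holds any permission bit on the file, i.e. a
    sibling account has a window to read or write it before it is consumed."""
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    return (mode & 0o077) != 0


def audit_temp_dir(tmp_dir, prefix="jenkins-upload-"):
    """Practitioner check: list files in tmp_dir carrying the (hypothetical)
    upload prefix whose mode grants anything to group or other."""
    findings = []
    for entry in os.scandir(tmp_dir):
        if entry.name.startswith(prefix) and entry.is_file(follow_symlinks=False):
            mode = stat.S_IMODE(entry.stat(follow_symlinks=False).st_mode)
            if mode & 0o077:
                findings.append((entry.name, oct(mode)))
    return sorted(findings)


def demo(base_dir=None):
    """Create both variants under a scratch directory with umask 022 and return
    the resulting modes and the audit result. Cleans up the scratch directory."""
    base = base_dir or tempfile.mkdtemp(prefix="cve-2023-43498-demo-")
    payload = b"constructed upload body standing in for a user's file\n"
    try:
        with umask(0o022):
            weak = create_upload_tmp_default(base, payload)
            private = create_upload_tmp_private(base, payload)
        return {
            "weak_mode": stat.S_IMODE(os.stat(weak).st_mode),          # 0o644
            "private_mode": stat.S_IMODE(os.stat(private).st_mode),    # 0o600
            "private_dir_mode": stat.S_IMODE(os.stat(os.path.dirname(private)).st_mode),
            "weak_exposed": exposed_to_others(weak),
            "private_exposed": exposed_to_others(private),
            "audit": audit_temp_dir(base),
        }
    finally:
        if base_dir is None:
            shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {oct(value) if isinstance(value, int) else value}")
```

Run it as a normal user on Linux: the weak file comes out 0644 and is flagged by the audit, the private file 0600 inside a 0700 directory is not. Pointing `audit_temp_dir` at the controller's real java.io.tmpdir only makes sense with the actual naming Jenkins uses, which this page does not give; the prefix is a placeholder to replace.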
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.main:jenkins-core (Maven) | >= 2.50, < 2.414.2 | 2.414.2 |
| org.jenkins-ci.main:jenkins-core (Maven) | >= 2.415, < 2.424 | 2.424 |
Affected products
OSV coordinates (2 version ranges):
- Jenkins Project / Jenkins (no CPE): range < 2.424.0
- Jenkins Project / Jenkins (no CPE): range >= 2.50, < 2.414.2
- Jenkins Project / Jenkins (v5 range): 2.424
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-hq87-h4jg-vxfw (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-43498 (NVD advisory)
- www.jenkins.io/security/advisory/2023-09-20/ (vendor advisory)
- www.openwall.com/lists/oss-security/2023/09/20/5 (oss-security post)
News mentions
- Jenkins Security Advisory 2023-09-20 (Jenkins Security Advisories, Sep 20, 2023)